ipcop support

community support forum
Posted: Thu Mar 15, 2012 12:08 am
New User

Joined: Tue Jan 31, 2012 2:05 pm
Posts: 16
Hello fellow IPCops!

I'm currently working on a report for my Network Security module in college and I'm considering making the suggestion of using an IPCop firewall instead of a commercial product. Here's a quick summary of what my project is about:

I have to re-design the Network Security plan used in my college; there are a total of around 350 computers (PC, Mac and Linux) spread over 3 buildings. There are also a couple of servers (not sure how many physically, or virtually for that matter); they are used for a Windows Domain Controller, File Server, mail server and a Web Server (internal Intranet and external SharePoint). I have to consider things like hacker attacks in my report and how I would stop them. I also have to come up with a plan to implement VPN, Net to Net and Host to Net (Road Warrior), as well as setting up external access to the mail server for mail clients. I also have to implement some kind of content filtering and control access to the web using a proxy server; the line is already filtered by a dedicated company but I have to consider onsite filtering too.

Currently my college uses a commercial SonicWall firewall (they were using a software firewall on the server until it caused connectivity issues); I'm thinking about suggesting IPCop as a possible alternative, although I'm not sure because there is a much bigger network in my college than at my home.

Does anyone think that an IPCop would be up to the task at a cheaper price (I have to take the limited funding that my college has into account)?
There is plenty of old hardware sitting around in the college, anyone got any ideas of how much power this IPCop would need?

Thanks in advance,

jmd2012


Posted: Fri Mar 16, 2012 8:00 am
User

Joined: Mon Jan 18, 2010 7:43 pm
Posts: 182
With that many computers, be careful about using old (slow, not much RAM) computers that are just laying about. Other than that, it should work.


Posted: Fri Mar 16, 2012 3:22 pm
New User

Joined: Tue Jan 31, 2012 2:05 pm
Posts: 16
Thanks for the reply taustin! Well, the kind of computers that will be laying around would be mostly last-generation single-core PCs, P4s with anything from 1.6 GHz to 3 GHz HT processors; they would either use DDR or DDR2 RAM modules, and it wouldn't be hard to throw 2GB+ of RAM into some of them. There's just a tonne of the same Dell model PCs sitting around, so if it ever failed there would be a lot of spare parts anyway.

I was looking at some of the high-end commercial models that cost between £1000-£10,000 and the max amount of RAM with them that I could find was about 2GB and 1GB flash memory, so if the IPCop was up to the same task then it would be a great cost saver! The only downfall I could think of is that this thing would need to be up and running 24/7, and since this would be normal computer hardware it might not be built to do that exactly. I guess building a back-up system as well wouldn't be a bad idea just in case...

What's the longest that anyone here has ever heard of an IPCop system running for?


Posted: Fri Mar 16, 2012 10:57 pm
Site Moderator

Joined: Thu Jul 24, 2003 8:21 am
Posts: 2353
IPCoppers can run for years. Literally. As my uptime signature below confirms.
Be careful to select the best quality hardware you can find, especially including the power supply, for 24/7/365 operations.
Quality does NOT mean latest and greatest. Sometimes older is better. But mostly modern power supplies are better.
YMMV

_________________
I'm not a complete idiot. There's still a few pieces missing.

[uptime signature images]


Posted: Mon Mar 19, 2012 5:19 pm
User

Joined: Mon Jan 18, 2010 7:43 pm
Posts: 182
The specs you're talking about should be fine for what you're doing. It's when you get to less than 1 GB of RAM that you have to be careful, especially if you're using any addons, or doing filtering and such. Stuff that's more than just passing ones and zeros back and forth.

Dells should work fine - I've used them many times over the years. 24/7 shouldn't be an issue, depending on which line of Dell hardware you're talking about. Vostros are lighter duty, Dimensions are OK, Optiplex is, in my experience, the more reliable hardware. As bluegroper says, though, be very careful about using a reliable power supply if the downtime to replace one is going to be an issue. It wouldn't hurt, if you can, to put in a brand new power supply, and maybe make it oversized to reduce heat issues. Power supplies aren't expensive.


Posted: Tue Mar 20, 2012 10:09 am
New User

Joined: Tue Jan 31, 2012 2:05 pm
Posts: 16
Well my college is packed out with spare OptiPlex 620s, so judging by your advice I think they should be up to the job. They're completely screwless anyway, so replacing hard drives and the PSU would only leave it down for a matter of minutes, because the only thing the PSU will be connected to will be the board and HDD.

Would it be worth considering a flash SATA or CF instead of a standard SATA drive?

The 620s take a max of 4GB of RAM, which you can pick up for £50 or less; a brand new PSU costs around the same, so I'm guessing you're talking about saving around £800+ when compared to a commercial product with a similar spec. Probably going to need like 3 NICs in it though.

Does the Linux kernel in the IPCop support Gigabit LAN speeds? I forget :?


Posted: Tue Mar 20, 2012 4:30 pm
User

Joined: Mon Jan 18, 2010 7:43 pm
Posts: 182
jmd2012 wrote:
Would it be worth considering a flash SATA or CF instead of a standard SATA drive?


If cost is an issue, I'd think not. If you can get one cheap, though, it's worth a shot. IPCop has a specific installation profile for flash drives.

jmd2012 wrote:
The 620s take a max of 4GB of RAM, which you can pick up for £50 or less; a brand new PSU costs around the same, so I'm guessing you're talking about saving around £800+ when compared to a commercial product with a similar spec. Probably going to need like 3 NICs in it though.


Yeah, but NICs are cheap, too.

jmd2012 wrote:
Does the Linux kernel in the IPCop support Gigabit LAN speeds? I forget :?


No idea, since we don't really do much on local networks where it'd be noticeable.


Posted: Tue Mar 20, 2012 8:11 pm
Pro User

Joined: Thu May 08, 2003 4:24 am
Posts: 3799
Location: London, UK
Before you select a product, consider what you want the firewall to do and how quickly it needs to do that. You also need to look at how many security zones you will need and whether you need shaping, multiple VLANs, DNS, DHCP and other services, etc.

What does your upstream network look like?


Posted: Thu Mar 22, 2012 12:36 am
New User

Joined: Tue Jan 31, 2012 2:05 pm
Posts: 16
OK, I've just read over my assignment brief again; it's a little simpler than I thought, which is good :D .

@taustin, cost is an issue of sorts; I have to look at it from the college's point of view, they only get so much funding from the government etc. There is a medium budget; it's a case of if you really need it you'll probably get it, unless it's a stupid request.

Getting an SSD hard drive would boost the IPCop's performance, I'm guessing by quite a bit; it will boot into Windows 7 twice as fast as a normal drive from what I've read. They're not all that expensive; it would probably be worth it for the performance increase in my opinion.

@up4fun, basically I have to re-design the network in terms of security, here's the general layout:

------//Clients//------------------//DC, DNS, DHCP//---------//Security//----//Internet + VPN//

------------------------------------|Web Server|
-----------------------------------|Print Server|
----------------------------------|Exchange Server|
| 20 Network Printers|--------|Windows File Server|
|350 computers (roughly)| -> |Windows Domain Controller| -> Firewall -> ISP Router -> VPN

//Networks//
Green: Around 350 PCs plus 20 printers, a couple of switches etc... All connected via Ethernet. To my best knowledge the printers and PCs are on different subnets (handled by the Win server).

Blue x2: There are two wi-fi networks, the unsecured one for students and the staff one. The student one is on a completely separate network, I think :?.

Orange: The web server has a Windows SharePoint that can be accessed via the web with a user name and password checked against the Windows DC; it runs on https only. The Exchange server, which deals with all the emails, must also be accessed from the outside.

If I put in an IPCop firewall I'm guessing it would look something like this:


------------------------------------------------VPN (Net to Net and Roadwarriors needed)
--------------------------------------------------^
--------------------------------------------------|
---------------------------------------------- ______
-------------------Student Blue************| IPCop |
-------------------------------------------- / -----------\
-------------------------------------------/ ------|-------\
------------------------------------------/--------|------- \
-----------------------------------------/---------|---------\
--------------------------------------Staff Blue__Orange Net__Green Net
-----------------------------------------^-----------^--------Win DC
-----------------------------------------| -----------|------------|
-----------------------------------------***************************
-------------------------------------------------Pin Holes

Excuse the poor graphics, I'll see if I can make a better one tomorrow! There shouldn't be any DHCP running on the firewall really, maybe for the wifi networks; other than that they will either be assigned statics or handled by the Windows DC. I guess I'll have to consider port forwarding for the orange network as well.

I doubt there are any VLANs being used in the college; the network isn't all that great, too little staff at the moment. There needs to be a VPN, I'm not sure if that's being handled by the Win DC... I'll ask tomorrow.

Content filtering is currently done down the line, it's OK. But they have chosen to block any uncategorised sites on the firewall at college as well, which is kinda stupid when you're trying to research; they have to manually add exceptions. Throwing DansGuardian in instead wouldn't hurt I don't think; they aren't even filtering Google search or blocking direct https traffic, it's all transparent. Using Copfilter might be a good idea, but I'm guessing that would put a lot of strain on the IPCop with all those requests... :|

Thanks for the help!


Posted: Thu Mar 22, 2012 12:59 am
Site Moderator

Joined: Sun Jun 06, 2004 3:38 am
Posts: 3742
Location: Colorado, USA
jmd2012 wrote:
Getting an SSD hard drive would boost the IPCop's performance, I'm guessing by quite a bit

That's why guessing is never a good design criterion. Either KNOW for a FACT, or find out, don't guess.

Dell's notorious for having proprietary parts (as well as being total crap, but that's not the point), so don't count on using an off the shelf generic power supply unless you know for sure it will work in a Dell.

_________________
For the 2.5^15th time :: Better Details = Better Answers


Posted: Thu Mar 22, 2012 8:42 am
Site Moderator

Joined: Thu Jul 24, 2003 8:21 am
Posts: 2353
VonSkippy wrote:
Dell's notorious for having proprietary parts (as well as being total crap, but that's not the point), ...

+1 We call it "Dull".


Posted: Thu Mar 22, 2012 12:22 pm
New User

Joined: Tue Jan 31, 2012 2:05 pm
Posts: 16
@VonSkippy, OK maybe I shouldn't try guessing too much then... I just know that on other OSes SSDs can halve boot times and the time it takes to load applications etc. I've never used one but I've heard good things about them; the only downfall that I could think of would be either the price or the fact that they gradually diminish in size over time.

Well I ran over Google search specifically looking for a Dell replacement PSU, which I found for about £50, plus there's a lot of used spare ones in other machines as backups. All of this is just theory, so unless the college IT staff like what I write in my project it will never actually be implemented lol.

Don't know if I agree with you on the Dell issue (yet). Their older models aren't really all that great, but I think their newer OptiPlex series are easy to maintain because it's mostly screwless. That said, I haven't really worked on any of the other big brand PCs yet. :|


Posted: Thu Mar 22, 2012 4:55 pm
User

Joined: Mon Jan 18, 2010 7:43 pm
Posts: 182
VonSkippy wrote:
Dell's notorious for having proprietary parts (as well as being total crap, but that's not the point), so don't count on using an off the shelf generic power supply unless you know for sure it will work in a Dell.


In the desktop cases, yeah, a standard power supply is taller than the case. In the tower cases, in recent years, they're usually standard power supplies. Good point, though.

(Don't agree on the total crap part, though. There's not much difference between them and any other brand. Depending on how much business you do with them, their service is pretty good these days, too.)


Posted: Thu Mar 22, 2012 6:51 pm
Site Moderator

Joined: Sun Jun 06, 2004 3:38 am
Posts: 3742
Location: Colorado, USA
Why would boot time matter in a device whose uptime is measured in years? IPCOP boxes stay up 24/7/365, so does it matter if, on the very rare, few and far between occasions, it boots up in 45 seconds or 3 minutes?

Last I knew, IPCOP, once booted, runs pretty much everything from RAM, so disk I/O has almost ZERO impact on the "speed" of the IPCOP system. Most disk activity is IPCOP writing logs.

SSDs don't get "smaller" over time - what is that Uni teaching you? SSDs get SLOWER over time because overwriting pre-written memory cells requires them to be erased, then written to. TRIM (an OS command) reduces/eliminates that by doing realtime garbage collection so that there are minimum blocks of deleted (but not cleared) data cells that will slow down the system writes. I don't know if IPCOP supports TRIM. The main downfall of SSDs is that they have a max write cycle limit; once that's reached, the drive becomes read-only. Since that limit is usually years of service, it's not as limiting as it sounds (but it is different from mechanical hard drives, since they can last not only years but decades and still operate like new).

Dell power supplies are wired differently than EVERY OTHER power supply on the planet. Putting a regular power supply in a Dell system gives you a nice little fireworks show, lots of blue smoke, and an even deader system than when you started.

If "screwless" cases are part of your buy/no-buy decision, you need to drop your tech career aspirations and go into management. Screwless cases are for the PHBs and marketing wonks that think picking up a screwdriver is some type of mystical technical magic. Any decent tech will tell you that screwless cases cause way more problems with poorly fitted parts than they save time. Plus they have these new magic wands called "cordless screwdrivers" that take all the hard work out of operating one.

_________________
For the 2.5^15th time :: Better Details = Better Answers


Posted: Thu Mar 22, 2012 7:08 pm
User

Joined: Mon Jan 18, 2010 7:43 pm
Posts: 182
VonSkippy wrote:
Dell power supplies are wired differently than EVERY OTHER power supply on the planet. Putting a regular power supply in a Dell system gives you a nice little fireworks show, lots of blue smoke, and an even deader system than when you started.


That simply isn't true. At least, not universally so. I've replaced more than one with standard, off-the-shelf power supplies from Fry's. The older ones tended more towards proprietary parts, yes, and the desktop cases are too thin to hold a standard power supply, but the wiring is the same these days.

VonSkippy wrote:
If "screwless" cases are part of your buy/no-buy decision, you need to drop your tech career aspirations and go into management. Screwless cases are for the PHBs and marketing wonks that think picking up a screwdriver is some type of mystical technical magic. Any decent tech will tell you that screwless cases cause way more problems with poorly fitted parts than they save time. Plus they have these new magic wands called "cordless screwdrivers" that take all the hard work out of operating one.


Hasn't been my experience, but mileage varies. (And they're not entirely screwless, even today. There's usually at least one mounting screw on the optical drive, and sometimes on the hard drive, too. But it's generally pretty easy to work on. Sometimes add-in cards get cranky about fit, but that's no different from any other case I've ever worked on.)


Posted: Thu Mar 22, 2012 7:54 pm
New User

Joined: Tue Jan 31, 2012 2:05 pm
Posts: 16
Hmm, you're probably right, boot speed isn't really a big issue here. I never thought that most of the IPCop system would be running in RAM (stupid me :-P); in that case I will recommend investing in high performance RAM instead of an SSD drive that will probably never be utilised.

I don't know what my Uni teaches me, not very much sometimes :-P; thanks for the lecture on SSDs, now I know what really happens with them!

I have no experience with changing Dell PSUs so I can't comment there. I did once change the PSU on an old NEC (I experienced some fireworks); I'm guessing it didn't like the other universal PSU that I tried to use with it. Again, the Dell replacement part is only around £50, so price isn't a major issue there.

I can't agree with you on the "screwless case" issue though. Nope. I'm a techy guy, I use a screwdriver a lot, all my cases at home require one; I just like the way you can quickly take a PSU, HDD, or DVD drive right out of a Dell without worrying about the screws. It's time saving, just like hot-swappable SCSI drives in a server (although you can remove those while they're running, of course). Yeah, there are some parts that require a screwdriver, such as the USBs at the front, but in general it's more effective.

OK, putting the actual hardware aside, is there anything else I should be considering planning-wise? Are there any downsides to using an IPCop firewall?

Thanks.


Posted: Thu Mar 22, 2012 10:51 pm
Site Moderator

Joined: Thu Jul 24, 2003 8:21 am
Posts: 2353
I cannot believe the criteria being applied here.
Do we need a screwdriver or not ??? :x
Build the thing using decent parts, switch it on, and forget about your tools.

_________________
I'm not a complete idiot. There's still a few pieces missing.

[uptime signature images]


Posted: Sat Mar 24, 2012 8:09 am
Expert

Joined: Sat Sep 23, 2006 11:23 am
Posts: 2321
Location: LDK | Hessen | Germany
jmd2012 wrote:
I can't agree with you on the "screwless case" issue though. Nope. I'm a techy guy, I use a screwdriver a lot, all my cases at home require one; I just like the way you can quickly take a PSU, HDD, or DVD drive right out of a Dell without worrying about the screws.

All of that only matters if you need to do it often, i.e. crappy hardware or the need to add larger disks every month.
FYI, my main firewall is now almost 6 years old. IIRC I opened it 5 times: 3x to diagnose/replace wonky 2.5" drives, 1x to finally replace the drive disaster with a CF card, 1x to insert a new CF card to be able to do a fresh IPCop v2.0.0 installation and keep the old one as a backup.

jmd2012 wrote:
It's time saving, just like hot-swappable SCSI drives in a server (although you can remove those while they're running, of course).

And why is that important for IPCop :?:

_________________
[signature image]

-=[ If you want answers: provide lots of information, including tiny details! ]=-


Posted: Sat Mar 24, 2012 1:03 pm
New User

Joined: Tue Jan 31, 2012 2:05 pm
Posts: 16
Alright, I agree I spent too much attention debating the hardware and defending Dells pointlessly. I now understand all I need to do regarding hardware is make sure whatever I recommend is good enough quality to keep the IPCop running stable.

I went off and did a little research regarding the possible disadvantages of using an IPCop instead of a commercial product; here's a small list:

1: The lack of commercial support for the IPCop in Ireland, which is where this firewall will be used (the closest support comes from 2 UK-based companies in England).

2: In parts the documentation is incomplete; most of it is there, but the parts that say "content to be written..." might put some people off. Although those parts are normally easy to get by without an explanation.

3: At the moment there isn't any mainstream content filter for IPCop v2.0.x that functions 100% or that is easy to use. I know Copfilter is pretty good, but it has some issues with the new squid proxy in v2.0.4 and you have to know how to use the config files to get it to work the way you want it. v1.4.x has the URL Filter, but it's not the latest release of IPCop anymore.

4: There's only 1 English-speaking community-based support forum listed on ipcop.org; the rest are in other languages.

That's all that I could dig up for the moment; this is only my opinion, so if anyone disagrees with it or has something else to add then please do. :)


Posted: Sat Mar 24, 2012 7:04 pm
Site Moderator

Joined: Sun Jun 06, 2004 3:38 am
Posts: 3742
Location: Colorado, USA
The first 3 sound about right, 4 is completely off base. Why would you want more than 1 support forum per language - they would be a fragmented mess (PFSENSE, another fine firewall appliance, decided to avoid ALL fragmentation and runs one, and only one, forum with different sections for different languages).

Just from your postings (so this assumption could be completely wrong) you seem to be going about this back asswards. First thing is to do a needs analysis (what does the Uni need in the way of network protection, broken down by zones). Then you find possible solutions and do a comparative analysis (which would include pros and cons for each possible solution). Then you do a cost analysis, once again with a comparative analysis. Then you write up your recommendations, being sure to clearly state any limitations or other gotchas (you're an analyst, not a salesman) on your primary solution (i.e. CYA).

We could argue why any decent Uni would have ANY type of content filters (after all, its students are presumably adults and can decide for themselves what they should or shouldn't be viewing), but putting content filters on the EDGE firewall is pretty stupid design (in my opinion). If you need content filtering (and you don't - and if the Uni administrators tell you different, you and all the other students should have a big messy protest), make it an application server inside your server farm, and set up network blocking rules to prevent outbound access that would bypass it.

IPCOP (and many others like PFSENSE) do a fine job on their PRIMARY function, which is controlling inbound and outbound traffic on your network. All the other foo-foo stuff that people mention as shortcomings for IPCOP probably doesn't belong on an EDGE FIREWALL anyway. The trend (unfortunately) for IPCOP is that many HOME users are trying to make IPCOP into a Swiss Army knife of firewalls, and it's NOT, never has been, never was meant to be.

_________________
For the 2.5^15th time :: Better Details = Better Answers
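The zone design in jmd2012's layout earlier in the thread (Green, two Blue-class wifi nets, an Orange DMZ reached through pinholes and port forwards) and VonSkippy's point just above about keeping the content filter off the edge and blocking anything that would go around it can both be checked against a small policy model before any hardware is chosen. What follows is an added example, not code from IPCop or from anyone in this thread: IPCop is configured through its web interface, and every address, zone boundary, pinhole, port forward and the proxy host below are assumptions made up for the illustration. The model only makes the intended trust relationships explicit so the design can be argued over in the report.

```python
"""Zone-policy model for the Green/Blue/Orange/Red layout sketched above.
Added example, not IPCop's own code (IPCop builds these rules in its web
interface). All addresses, zones, pinholes, forwards and the proxy host
are assumptions made up for this illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed addressing; the college's real plan is not given in the thread.
ZONES = {
    "GREEN":   ip_network("10.10.0.0/16"),  # wired PCs, printers, Windows DC
    "BLUE":    ip_network("10.20.0.0/24"),  # staff wifi
    "STUDENT": ip_network("10.21.0.0/24"),  # student wifi, second Blue-class net
    "ORANGE":  ip_network("10.30.0.0/24"),  # DMZ: SharePoint web server, Exchange
}
FIREWALL_RED = "203.0.113.10"  # firewall's public address (documentation range)
# Default trust before exceptions: Green reaches everything, wifi and the DMZ
# reach only the Internet, the Internet reaches nothing.
DEFAULT_ALLOW = {"GREEN": {"GREEN", "BLUE", "STUDENT", "ORANGE", "RED"},
                 "BLUE": {"RED"}, "STUDENT": {"RED"}, "ORANGE": {"RED"}, "RED": set()}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Pinhole:
    """Lets a lower-trust zone reach one host:port in a higher-trust zone."""
    src_zone: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class PortForward:
    """Publishes a port on the Red address and rewrites it to one DMZ host."""
    red_dport: int
    proto: str
    target: str
    target_port: int

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "RED"  # not in any local zone, so it is the Internet

def decide(flow: Flow, pinholes: List[Pinhole], forwards: List[PortForward],
           proxy_ip: Optional[str] = None) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is ALLOW, DENY or 'DNAT host:port'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    # Inbound from the Internet: only published ports, rewritten to the DMZ host.
    if src_zone == "RED":
        if flow.dst == FIREWALL_RED:
            for pf in forwards:
                if pf.proto == flow.proto and pf.red_dport == flow.dport:
                    return (f"DNAT {pf.target}:{pf.target_port}", "port forward")
        return ("DENY", "no port forward for this inbound traffic")
    # Egress: when a proxy is mandated only the proxy host may speak web to Red,
    # so clients cannot bypass the filter by going direct.
    if (dst_zone == "RED" and proxy_ip and flow.proto == "tcp"
            and flow.dport in (80, 443) and flow.src != proxy_ip):
        return ("DENY", "web egress must go through the proxy")
    if dst_zone in DEFAULT_ALLOW[src_zone]:
        return ("ALLOW", f"{src_zone} may reach {dst_zone} by default")
    for ph in pinholes:
        if (ph.src_zone == src_zone and ph.dst == flow.dst
                and ph.proto == flow.proto and ph.dport == flow.dport):
            return ("ALLOW", f"pinhole {src_zone} -> {flow.dst}:{flow.dport}/{flow.proto}")
    return ("DENY", f"{src_zone} -> {dst_zone} blocked and no pinhole matches")

# Sample policy for the thread's layout (constructed for this example).
DC = "10.10.0.10"         # Windows DC: auth, DNS, DHCP
SHAREPOINT = "10.30.0.5"  # HTTPS-only SharePoint in Orange
EXCHANGE = "10.30.0.6"    # Exchange in Orange
PROXY = "10.10.0.50"      # filtering proxy inside the server farm, not on the firewall
PINHOLES = [
    Pinhole("BLUE", DC, "tcp", 88),     # staff wifi: Kerberos to the DC
    Pinhole("ORANGE", DC, "tcp", 389),  # SharePoint checks logins against the DC
]
FORWARDS = [
    PortForward(443, "tcp", SHAREPOINT, 443),  # external SharePoint, HTTPS only
    PortForward(25, "tcp", EXCHANGE, 25),      # inbound mail to Exchange
]

def verdict(src: str, dst: str, proto: str, dport: int) -> str:
    return decide(Flow(src, dst, proto, dport), PINHOLES, FORWARDS, PROXY)[0]

if __name__ == "__main__":
    for f in [("10.21.0.7", DC, "tcp", 445), ("10.20.0.7", DC, "tcp", 88),
              ("198.51.100.9", FIREWALL_RED, "tcp", 443),
              ("10.10.5.5", "198.51.100.9", "tcp", 80), (PROXY, "198.51.100.9", "tcp", 80)]:
        print(f"{f[0]:>14} -> {f[1]:<14} {f[2]}/{f[3]:<4} {verdict(*f)}")
```

Run it and each sample flow prints its verdict. The telling cases are the student wifi PC that cannot reach the domain controller, the staff Kerberos pinhole that can, the Internet connection that is rewritten to the SharePoint host on 443 only (RDP from outside is refused), and the Green PC whose direct port-80 connection is denied while the proxy host's is allowed. The model says nothing about the filter itself; it only shows that no client can go around it, which is the rule set the firewall has to carry if the filter lives on an application server instead of the edge.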


Posted: Sat Mar 24, 2012 7:14 pm
New User

Joined: Tue Jan 31, 2012 2:05 pm
Posts: 16
Hmm... I think you're right on this one; I'll spend some time over the next week studying the college's needs in more depth before posting useless comments...

Content filtering is a must in my college for legal issues though, since some students can still be under 18 when they first join, so they have to implement it for legal and moral purposes. I agree with your idea of splitting the firewall from the content filter though.

OK, I'll post again when I have some real solid reasoning! :D

cya!


Powered by phpBB® Forum Software © phpBB Group